hashicorp / terraform-plugin-testing

Module for testing Terraform providers
Mozilla Public License 2.0

Access private state when testing resources and data sources #321

Open marshallford opened 7 months ago

marshallford commented 7 months ago

terraform-plugin-testing version

❯ go list -m github.com/hashicorp/terraform-plugin-testing/...
github.com/hashicorp/terraform-plugin-testing v1.7.0

Use cases

Utilize and/or validate private state when testing resources or data sources.

Attempted solutions

N/A

Proposal

N/A

References

N/A

austinvalle commented 7 months ago

For future readers, there is an upstream blocker to exposing private state data in terraform-plugin-testing.

As of v1.7.0, the testing framework uses the terraform show -json command to retrieve plan and state data, which is then marshaled to terraform-json structs for usage in plan/state checks.

The terraform show -json command currently isn't a "passthrough" for all data in the state file and the private field has not been added to the JSON output. Before we can add support in the testing framework, the Terraform CLI will need to be updated to return this private field.

Example State

{
  "version": 4,
  "terraform_version": "1.8.0",
  "serial": 3,
  "lineage": "dd9272a9-ab86-4166-d83b-d08ba2f78f34",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "examplecloud_thing",
      "name": "test",
      "provider": "provider[\"registry.terraform.io/austinvalle/sandbox\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "cities": {
              "computed": "true",
              "season": "spring"
            },
            "id": "123",
            "name": "john"
          },
          "sensitive_attributes": [],
          "private": "eyJoZWxsbyI6ImV5SnJaWGt4SWpvZ2RISjFaWDA9In0="
        }
      ]
    }
  ],
  "check_results": null
}

State show output

 $ terraform show -json terraform.tfstate | jq

{
  "format_version": "1.0",
  "terraform_version": "1.8.0",
  "values": {
    "root_module": {
      "resources": [
        {
          "address": "examplecloud_thing.test",
          "mode": "managed",
          "type": "examplecloud_thing",
          "name": "test",
          "provider_name": "registry.terraform.io/austinvalle/sandbox",
          "schema_version": 0,
          "values": {
            "cities": {
              "computed": "true",
              "season": "spring"
            },
            "id": "123",
            "name": "john"
          },
          "sensitive_values": {
            "cities": {}
          }
        }
      ]
    }
  }
}
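
Until `terraform show -json` returns the field, a test can read it from the raw state file instead. The sketch below is an added example, not part of the thread or of terraform-plugin-testing; `PrivateState` and `sampleState` are hypothetical names, and it assumes the layout seen in the example state above (base64 of a JSON object whose values are themselves base64 strings).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed sample: the example state above, trimmed to the fields used here.
const sampleState = `{"version": 4, "resources": [{"mode": "managed",
  "type": "examplecloud_thing", "name": "test", "instances": [
  {"private": "eyJoZWxsbyI6ImV5SnJaWGt4SWpvZ2RISjFaWDA9In0="}]}]}`

// rawState mirrors only the state file fields needed below.
type rawState struct {
	Resources []struct {
		Mode, Type, Name string // encoding/json matches the lowercase keys case-insensitively
		Instances        []struct{ Private string }
	}
}

// PrivateState (hypothetical helper) decodes the private data of the first
// instance of the managed resource typ.name from a raw state file.
func PrivateState(state []byte, typ, name string) (map[string][]byte, error) {
	var s rawState
	if err := json.Unmarshal(state, &s); err != nil {
		return nil, fmt.Errorf("parse state: %w", err)
	}
	for _, r := range s.Resources {
		if r.Mode != "managed" || r.Type != typ || r.Name != name || len(r.Instances) == 0 || r.Instances[0].Private == "" {
			continue
		}
		outer, err := base64.StdEncoding.DecodeString(r.Instances[0].Private)
		if err != nil {
			return nil, fmt.Errorf("decode private: %w", err)
		}
		// Assumption: values are base64 strings; encoding/json decodes those into []byte.
		out := map[string][]byte{}
		if err := json.Unmarshal(outer, &out); err != nil {
			return nil, fmt.Errorf("parse private: %w", err)
		}
		return out, nil
	}
	return nil, fmt.Errorf("no private state found for %s.%s", typ, name)
}

func main() {
	priv, err := PrivateState([]byte(sampleState), "examplecloud_thing", "test")
	fmt.Printf("hello = %s, err = %v\n", priv["hello"], err)
}
```
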

marshallford commented 7 months ago

Thank you for the info and apologies if this was already well known!

austinvalle commented 7 months ago

> Thank you for the info and apologies if this was already well known!

No worries! We don't have this specific situation of "private field missing" documented anywhere, so thanks for opening the issue! We can use this to gauge general interest in the feature from a provider testing perspective.

An issue can be created in the main Terraform repository to ask for that support in terraform show -json. Once added over there, updating terraform-json and this testing framework will be relatively straightforward 🙂

gdavison commented 6 days ago

I've created https://github.com/hashicorp/terraform/issues/35941.

This is definitely something we'll want when we add private state data in the AWS Provider